Joanna Rutkowska Pwns challengers at blackhat

"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level between the hardware and operating system and controls direct measurements—i.e., those internal to a system.

The only problem is, by day's end, Rutkowska revealed that the methods simply don't work as advertised."

"In her presentation, "IsGameOver(), anyone?" Rutkowska refuted Matasano's and Symantec's ability to detect Blue Pill and described ways to run away when somebody's trying to track the rootkit using timing determination.

First, Rutkowska outlined the Blue Chicken defense. This technique involves running away when timing determination occurs. Because the hypervisor sits in the middle, emulating a system, it has the ability to determine if somebody's trying to do a timing attack on the rootkit. In that case, she removes the hypervisor."

I got to see Joanna's talk and it was rather amusing.

Article Link: http://www.channelinsider.com/article/Rutkowska+Gets+Last+Laugh+in+Rootkit+CatandMouse